25 biggest government data breaches ever reported

We seem to continually be hearing about one data breach or another. Indeed, the likelihood is that most organizations will experience some sort of breach at some point. And every institution is vulnerable, no matter what sector it’s in. This includes government organizations such as national databases, healthcare institutions, veterans’ departments, critical infrastructure, and more. Many of these breaches are hugely significant, with some of the largest government data breaches involving hundreds of millions of records.

Read on to find out about which government organizations across the globe have been hit by the largest reported data exposure incidents.

These are the biggest reported government data breaches of all time:

1. Aadhaar (India, 2018)

Breach Size: 1.1 billion records

The Unique Identification Authority of India (UIDAI) biometric system (named Aadhaar) is a national ID database run by the Indian government. It holds records of over one billion Indian residents. In 2018, Aadhaar reportedly suffered multiple data breaches.

In January, a newspaper investigation found that criminals were providing access to the Aadhaar database in exchange for Rs500 ($6.82). Those who purchased access to the database were also offered “software” for printing out Aadhaar cards, for a further Rs300 ($4.09).

The breach was reportedly the result of malicious parties misusing a scheme that enabled Aadhaar agents to deal with issues such as address changes and name misspellings. Exposed details included names, addresses, photos, phone numbers, and email addresses. Biometric data was apparently not involved.

In another data leak in March 2018, a utility company granted access to Aadhaar information, including names and identity numbers. Everyone with an Aadhaar number was reportedly affected by the breach.

2. Brazil Health Ministry (Brazil, 2020)

Breach Size: 243 million records

A huge data exposure impacting more than 240 million Brazilians and lasting over six months was reported in December 2020. During that time period, the personal details of all those registered with Brazil’s national health system, Sistema Único de Saúde (SUS), were exposed. The data set included full names, phone numbers, addresses, and medical records. It’s estimated that 32 million of the records pertained to deceased Brazilians.

3. Voter Database (USA, 2015)

Breach Size: 191 million records

A 2015 breach saw the exposure of a database that contained information regarding over 190 million US voters. It housed details including names, voter IDs, addresses, dates of birth, phone numbers, political affiliations, and voting histories since 2000. The breach was a result of a misconfigured database that was left open online.

4. Brazil government (Brazil, 2019)

Breach Size: 92 million records

A 16 GB database, alleged to be owned by Brazil’s government, was posted for sale on the dark web in October 2019. The database contained personal information of 92 million Brazilian citizens. There was speculation that the number fairly closely matched the number of citizens who were employed at the time. The data seller claimed that information included names, mothers’ names, dates of birth, gender, and taxpayer IDs. The database was being auctioned off with a starting bid of $15,000.

5. National Archives and Records Administration (NARA) (USA, 2009)

Breach Size: 76 million records

In March 2009, NARA learned that an external hard drive was missing from one of its facilities, possibly since October 2008. It contained data from the Clinton Administration Executive Office of the President that included Personally Identifiable Information (PII) of former Clinton Administration staff as well as people who visited or contacted the White House. Data included names and Social Security Numbers (SSNs).

6. Philippines’ Commission on Elections (Philippines, 2016)

Breach Size: 55M

A database containing details of all registered voters in the Philippines (around 55 million people) was exposed online. Reports suggest that records may have included sensitive PII such as passport information and fingerprints. The leak occurred shortly after the Philippines’ Commission on Elections website was defaced, although it’s not clear if the two attacks were linked.

7. Turkish citizenship database (Turkey, 2016)

Breach Size: 49.6M

An online database housing information on all 49.6 million Turkish citizens was exposed. Leaked information included names, parents’ names, national ID, date of birth, city of birth, gender, full address, and ID registration city and district.

8. IRS (USA, 2016)

Breach Size: 28.2M

In 2016, the Treasury Inspector General for Tax Administration (TIGTA) reported that IRS employees were sending unencrypted emails that contained taxpayers’ personally identifiable information. Based on their sample data, TIGTA extrapolated that IRS employees were inadvertently exposing (through unencrypted communication) the details of more than 28 million taxpayers each year.

“Based on our sample results, we estimate that 11,416 SB/SE Division employees sent 95,396 unencrypted e-mails with taxpayer PII/tax return information for 2.4 million taxpayers during the four-week period of our sample. If this four-week period is typical, we estimate that more than 1.1 million unencrypted e-mails with taxpayer PII/tax return information of 28.2 million taxpayers could be sent annually.”

9. The Department for Education UK (UK, 2020)

Breach Size: 28M

In the UK, a 2020 incident saw betting companies provided with access to a database belonging to the Department for Education (DfE). The database is actually that of the Learning Records Service, which collects information about learners who are pursuing certain post-14 qualifications such as GCSEs and A-levels. It is believed to have housed the data of 28 million children. Betting agencies received the data through a third-party agreement (that was later rescinded) and were using it for website verification purposes.

10. U.S. Dept. of Veterans Affairs (USA, 2006)

Breach Size: 26.5M

A laptop and storage device containing a trove of sensitive data were stolen from a home belonging to an employee of the Department of Veterans Affairs. It’s believed the devices held information on more than 26 million veterans (all those discharged since 1975). The data included names, dates of birth, social security numbers, addresses, and phone numbers.

Both items were discovered around two months after the theft and an FBI investigation determined that the information hadn’t been copied. However, the department was held accountable for lacking sufficient information security policies and for failing to guard sensitive data.

11. HM Revenue and Customs (UK, 2007)

Breach Size: 25M

Supposedly confidential information regarding 25 million UK child benefit recipients was potentially exposed when computer disks containing the information were misplaced. The disks went missing while they were being transported from the HMRC National Insurance contributions office in Newcastle to the headquarters of an insurer in Edinburgh.

12. Office of Personnel Management in Washington, DC (USA, 2015)

Breach Size: 21.5M

A database containing security clearance application records of government workers was stolen from computer networks belonging to the Office of Personnel Management in Washington. There were 21.5 million entries in the database, which included SSNs and other sensitive information.

13. Virginia Department of Health (USA, 2009)

Breach Size: 8.3M

In May 2009, the state of Virginia received a ransom demand from hackers who had stolen the records of more than 8 million patients, as well as 35 million prescription records. They had broken into the Prescription Monitoring Program (PMP) website, a pharmaceutical database run by the state, and were demanding $10 million in exchange for the safe return of the data. Details may have included names, addresses, dates of birth, SSNs, and medication information.

The PMP site, overseen by the Virginia Department of Health Professions, was defaced with a ransom note but shut down by the state shortly after. The state Governor at the time, Timothy Kaine, refused to succumb to the demand, but it appears the hackers did not follow through with their threat to sell the data.

Part of the ransom note read: “You have 7 days to decide. If by the end of 7 days, you decide not to pony up, I’ll go ahead and put this baby out on the market and accept the highest bid.”

14. Office of the Texas Attorney General (USA, 2012)

Breach Size: 6.5M

Early in 2012, the Office of the Texas Attorney General released disks containing a voter database file to plaintiff attorneys that mistakenly included sensitive details. Of the roughly 13 million records, it’s estimated that about half included SSNs. The information was reportedly only viewed by two analysts who signed declarations stating that they didn’t make copies of or share the information.

15. South Carolina Department of Revenue (USA, 2012)

Breach Size: 6.4M

The computer system of the South Carolina Department of Revenue (DOR) was the target of a massive cyber attack in October 2012. The attacks left millions of records vulnerable, with many including SSNs, debit and credit card information, and information about children and businesses. Initial reports suggested that 3.6 million people were involved, but it later transpired that the number was actually 6.4 million.

16. Georgia’s Secretary of State Office (USA, 2015)

Breach Size: 6.1M

A purported error in creating a standard file resulted in the exposure of personal information on more than 6 million voters. The “State Download File” was created by the office of the Georgia Secretary of State and issued to the press and political parties. It was intended to hold minimal voter data such as name, address, race, and gender.

A November 2015 iteration of the disk contained much more information including dates of birth, SSNs, and driver’s license numbers. A systems programmer was disciplined over the error, but it’s unclear exactly what his role was.

17. Kansas Department of Commerce (USA, 2017)

Breach Size: 5.5M

A database housing information from job sites was hacked in March 2017, resulting in the breach of 5.5 million records. These contained the SSNs of people across 10 states who had submitted their information to the job platforms.

18. Bulgaria (Bulgaria, 2019)

Breach Size: 5M

In mid-2019, a computer programmer was arrested in connection with the theft of personal data pertaining to almost every adult in Bulgaria. The country’s national tax agency was the target of a hack that exposed the information of up to five million foreign residents and Bulgarian citizens. Data included names, addresses, social security information, and incomes.

19. Tricare (USA, 2011)

Breach Size: 4.9M

A 2011 incident resulted in the potential exposure of 4.9 million Military Health System patients. The breach involved a Tricare business associate, Science Applications International Corp. The company reported that backup tapes holding electronic health records were stolen from an employee’s car while they were transporting the tapes between two federal facilities, a routine practice.

Data on the tapes included names, SSNs, phone numbers, addresses, and personal health data, such as lab tests, prescriptions, and clinical notes. The affected parties were patients who had received care in military treatment facilities in the San Antonio area.

20. Advocate Health Care (USA, 2016)

Breach Size: 4M

Another major HIPAA data breach affected over four million individuals in 2016, this time involving Advocate Medical Group. Four laptops were stolen from the organization’s administrative buildings in Illinois. The laptops were unencrypted and contained the PII of millions of patients as well as clinical data. Items included names, addresses, SSNs, dates of birth, doctor names, medical record numbers, and health insurance details.

21. Texas Comptroller’s Office (USA, 2011)

Breach Size: 3.5M

The Texas Comptroller’s Office suffered a huge breach that is believed to have lasted over a year. The unencrypted data of around 3.5 million Texans was erroneously made available on a website that could be accessed by the public. The information included SSNs and home addresses.

The breach was prompted by the failure to follow multiple internal procedures and resulted in the termination of several Comptroller’s Office employees, including the heads of the Information Security and Innovation and Technology departments.

22. Driving Standards Agency (UK, 2007)

Breach Size: 3M

Shortly after the HM Revenue and Customs incident discussed above, another UK ministry breach occurred, this time involving a contractor working with the Driving Standards Agency. The details of three million driving theory test candidates were held on a hard drive that was misplaced in the US. The device, which contained names, addresses, phone numbers, emails, and fee payment information (but no financial data), went missing from a facility in Iowa.

23. Georgia Department of Community Health, Affiliated Computer Services (ACS) (USA, 2007)

Breach Size: 2.9M

The data of 2.9 million recipients of Medicaid and children’s health care (PeachCare) in Georgia went missing in July 2007. The breach involved Affiliated Computer Services, a contractor that handles health care claims. The organization lost a CD that contained names, addresses, SSNs, and birth dates. The breach impacted those added to the database between June 2002 and June 2006.

24. Russia’s Federal Security Service (FSB) (Russia, 2019)

Breach Size: 7.5 terabytes

In mid-2020, it emerged that hackers had managed to retrieve 7.5 TB of data from FSB contractor SyTech. The hacking group breached SyTech’s systems and recovered data related to secret FSB projects. These included plans to scrape social media, de-anonymize Tor browsing, and help segregate the state’s internet from that of the rest of the globe. The hacking group responsible, 0v1ru$, shared the data with a larger group called Digital Revolution. The latter passed on the information to media outlets.

25. SolarWinds (USA, 2020)

Breach Size: Unknown

A massive 2020 SolarWinds breach (dubbed SUNBURST) is still under investigation, so its fallout is not yet known. We do know that it has impacted a number of government agencies, consulting firms, and business customers. The attack was reportedly carried out by Russian spies.

In December, it was revealed that a SolarWinds software system called Orion was hacked. Late in 2019, attackers broke into SolarWinds’ systems and inserted malicious code into Orion. When SolarWinds sent out software updates to Orion users (including many major corporations), the updates contained the hacked code.

The change created a backdoor for hackers to access the IT systems of Orion users. The malicious actors used this access to insert additional malware that enabled them to spy on affected organizations. Deployed in February 2020, the breach was sophisticated enough that it went undetected for months, until FireEye made the discovery in December.

Around 33,000 companies use Orion, but 18,000 installed the infected version. According to FireEye—the cybersecurity firm that discovered the breach—only 50 of these were “genuinely impacted” by the breach, but that was back in December and later reports peg that number as higher.

SolarWinds provides software to many Fortune 500 companies, and several well-known firms including Cisco, SAP, Deloitte, and Intel are believed to have been impacted. Government agencies impacted included the U.S. Departments of Commerce, Energy, Justice, State, and Treasury.
